geronimo-user mailing list archives

From David Jencks <david_jen...@yahoo.com>
Subject Re: Plaintext passwords in Geronimo plans and config files
Date Thu, 22 Feb 2007 17:47:14 GMT

On Feb 22, 2007, at 9:35 AM, Aaron Mulder wrote:

> There is some built-in encryption available.  My recollection was that
> the server tried to apply it to settings with "password" in the name,
> but it may have changed in 1.2-beta.

I haven't found the code that does this, but I think that it encrypts
config.xml rather than any plans.  I could be very wrong, although
since plans aren't needed at runtime I can't see how encryption could
be applied to them.

thanks
david jencks

>
> Thanks,
>       Aaron
>
> On 2/22/07, Aman Nanner/MxI Technologies <aman.nanner@mxi.com> wrote:
>>
>> Hi,
>>
>> I have noticed that passwords in plans and configuration files in
>> Geronimo (1.2-beta) are not encrypted by the server, and remain in
>> plaintext.  For example, passwords in:
>>
>> 1) Datasource connector plans
>> 2) ActiveMQ connector plans
>> 3) TomcatWebSSL Keystore passwords
>> 4) Geronimo properties realm passwords
>>
>> Having these plaintext passwords in these configuration files poses an
>> inherent security risk that would prevent us from deploying Geronimo
>> out to customer sites.  Are there any plans to have all these
>> passwords encrypted?
>>
>> Thanks,
>> Aman

